unbalancedparentheses
commented
1 year ago We didn't think it enough but we think there might be a way to exploit it. We doubled checked with others that this was not used in prod before creating the issue.
Line of the bug: https://github.com/onurinanc/noir-bn254/blob/main/src/bn254/fp6.nr#L215
There's an error in the algorithm causing the function to fail when it is supposed to work.
Step 9 is wrong in the paper. Instead of $c{2} = t{1} \cdot t{4}$ it should be $c{2} = t{1} - t{4}$